Critical severity vulnerability that affects slpjs
Critical severity · GitHub Reviewed · Published Nov 15, 2019 in simpleledger/slpjs · Updated Jan 9, 2023
Published to the GitHub Advisory Database: Nov 15, 2019
Reviewed: Jun 16, 2020
Last updated: Jan 9, 2023
Description
Validator parsing discrepancy due to string encoding
Impact
A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the slpjs npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus.
Patches
All versions > 0.21.3 are patched.
Workarounds
Upgrade to any version >= 0.21.4.
References
The bug was located and fixed here.
For more information
If you have any questions or comments about this advisory: